Abstract


In  this  paper  we  attempt  to  unify  and  extend  the  various  approaches  to  synthesizing  fully 
testable  sequential  circuits  that  can  be  modeled  as  finite  state  machines  (FSMs).  We  first 
identify  classes  of  redundancies  and  isolate  equivalent-state  redundancies  as  those  most 
difficult  to  eliminate.  We  then  show  that  the  essential  problem  behind  equivalent-state 
redundancies  is  the  creation  of  valid/invalid  state  pairs.  We  devote  the  remainder  of  the 
paper  to  techniques  for  developing  differentiating  sequences  for  valid/invalid  state  pairs 
created  by  a  fault,  as  well  as  to  techniques  for  retaining  these  sequences  in  the  presence  of 
that  fault. 


A  variety  of  techniques  have  been  proposed  to  address  this  problem.  At  one  end  of  the 
spectrum  there  are  optimal  synthesis  procedures  that  ensure  full  testability  by  eliminating 
redundancies  via  the  use  of  appropriate  don’t  care  sets.  At  the  other  end  of  the  spectrum 
there  are  constrained  synthesis  procedures  that  produce  fully  and  easily  testable  sequential 
circuits  by  restricting  the  implementation  of  the  logic.  The  optimal  synthesis  procedures 
require  fewer  constraints  on  the  logic  but  increase  the  expense  of  logic  optimization  to  the 
point  that  CPU  time  requirements  may  be  unacceptable.  The  constrained  synthesis 
procedures  require  relatively  simple  logic  optimization  procedures  but  constrain  the  logic 
to the point that the area penalty may be unacceptable.


In  this  paper  we  use  the  notion  of  fault-effect  disjointness  to  explore  the  landscape  between 
these  two  boundaries  and  demonstrate  a  spectrum  of  methods  that  place  relatively  more- 
or-less  emphasis  on  either  logic  optimization  or  constrained  synthesis.  Techniques  used  in 
this exploration include fault simulation, Boolean covering, algebraic factorization and
state  assignment. 


We  present  experimental  results  using  the  new  synthesis  procedures  as  well  as 
comparisons  to  previous  approaches. 


1  Introduction 

Can a sequential circuit be completely tested without adding scan logic? This is perhaps the most urgent problem in the area of testing. One natural approach to solving this problem is to improve current sequential test generation algorithms. The primary drawback to this approach is that circuit sizes are increasing so quickly that even significant improvements in sequential test generation algorithms cannot keep up. A radically different approach is synthesis for sequential testability. In this approach it is the structure of the circuit itself that is modified to produce fully testable designs.

The idea that logic synthesis and optimization can have a very profound effect on the testability of a synthesized combinational or sequential circuit has been recognized [6]. The relationship between testability and Boolean minimization for two-level combinational circuits dates back to the Quine-McCluskey algorithm [10]. Notions of prime implicants and irredundant covers are basic to all two-level Boolean minimization procedures and these imply immunity to stuck-at fault redundancies in two-level combinational circuits. Initial work in the area of multi-level logic synthesis and testability involved the use of implication procedures to eliminate redundancies in combinational logic circuits [2]. The relationship between redundancies and don't cares in combinational circuits was more thoroughly investigated in [1], where the notions of primality and irredundancy were generalized for multi-level circuits. Recent work in synthesis for testability has been able to ensure complete multiple fault testability for multi-level combinational logic circuits [9].

The relationships between sequential logic synthesis and non-scan sequential circuit testability are equally intimate. Scan logic appears to be less necessary for ensuring the testability of datapath portions of circuits because datapath portions have less feedback [11] pj. As a result, the remaining challenges in synthesizing sequentially testable circuits are to synthesize fully/easily testable control portions and to combine these with datapath portions. Control portions are most commonly implemented as finite state machines (FSMs).

In this paper, we attempt to unify and extend the various approaches to synthesizing fully testable sequential circuits that can be modeled as finite state machines (FSMs). We first identify classes of redundancies and isolate equivalent-state redundancies as those most difficult to eliminate. We then show that the essential problem behind equivalent-state redundancies is the creation of valid/invalid state pairs. We devote the remainder of the paper to techniques for developing differentiating sequences for valid/invalid state pairs created by a fault, as well as to techniques for retaining these sequences in the presence of that fault.

A variety of techniques have been proposed to address this problem. At one end of the spectrum there are optimal synthesis procedures that ensure full testability by eliminating redundancies via the use of appropriate don't care sets. At the other end of the spectrum there are constrained synthesis procedures that produce fully and easily testable sequential circuits by restricting the implementation of the logic. The optimal synthesis procedures require fewer constraints on the logic but increase the expense of logic optimization to the point that CPU time requirements may be unacceptable. The constrained synthesis procedures require relatively simple logic optimization procedures but constrain the logic to the point that the area penalty may be unacceptable.

In this paper we use the notion of fault-effect disjointness to explore the landscape between these two boundaries and demonstrate a spectrum of methods that place relatively more-or-less emphasis on either logic optimization or constrained synthesis. Techniques used in this exploration include fault simulation, Boolean covering, algebraic factorization and state assignment.

Finally, we present experimental and analytical comparisons between various testability-driven synthesis procedures that provide insights as to the relative merits of the different procedures.

Basic definitions and terminology are given in Section 2. In Section 3, we review the types of sequential redundancies in FSMs. In Section 4 we describe general methods for removing some classes of redundancies and review theorems regarding unconditional testability of faults in sequential circuits. In Section 5, we present the notion of differentiating sequences and describe a generic synthesis procedure that results in fully testable sequential machines. We then present a unification of synthesis-for-testability approaches under the umbrella of a concept strongly related to differentiating sequences, fault-effect disjointness, and show that previous synthesis approaches can be viewed as special cases of the generic synthesis procedure. In addition, we describe new Boolean covering and algebraic factorization techniques that represent intermediate solutions to the problem of synthesizing fully testable sequential machines. Preliminary experimental results using the new synthesis procedure proposed here as well as comparisons to previous techniques are given in Section 6.


2  Preliminaries 

A variable is a symbol representing a single coordinate of the Boolean space (e.g. $a$). A literal is a variable or its negation (e.g. $a$ or $\bar{a}$). A cube is a set $C$ of literals such that $x \in C$ implies $\bar{x} \notin C$ (e.g., $\{a, b, \bar{c}\}$ is a cube, and $\{a, \bar{a}\}$ is not a cube). A cube represents the conjunction of its literals. The trivial cubes, written 0 and 1, represent the Boolean functions 0 and 1 respectively. An expression is a set $f$ of cubes. For example, $\{\{a\}, \{b, \bar{c}\}\}$ is an expression consisting of the two cubes $\{a\}$ and $\{b, \bar{c}\}$. An expression represents the disjunction of its cubes.

A cube may also be written as a bit vector on a set of variables with each bit position representing a distinct variable. The values taken by each bit can be 1, 0 or 2 (or - or don't care), signifying the true form, negated form and non-existence respectively of the variable corresponding to that position. A minterm is a cube with only 0 and 1 entries.

A finite state machine (FSM) is represented by its State Transition Graph $G(V, E, W(E))$ where $V$ is the set of vertices corresponding to the set of states $S$. An edge joins $v_i$ to $v_j$ if there is any vector of primary input values that causes the FSM to evolve from state $v_i$ to state $v_j$. $W(E)$ is a set of labels attached to each edge. For the purposes of this paper, we define each label as an ordered 4-tuple $\langle i, s, s', o \rangle$ where $i$ is a minterm over the primary inputs, $s$ and $s'$ are minterms over the state variables and $o$ is a minterm over the primary outputs. The pair $\langle s', o \rangle$ corresponds to a minterm in the output plane of a truth-table representation of the FSM; for each edge we will refer to the set of all such pairs as the output-labels of that edge. This label carries the information of the value of the outputs and next-state resulting from the transition. The pair $\langle i, s \rangle$ corresponds to a minterm in the input plane of a truth-table representation of the FSM; for each edge we will refer to the set of all such pairs as the input-labels of that edge. This label carries the information of the value of the inputs and previous-state that caused the transition. 1

We denote the primary input combination and present state corresponding to an edge or set of edges as $i @ s$, where $i$ and $s$ are cubes over the set of inputs and states respectively. The fanin of a state $q$ is a set of edges and is denoted $fanin(q)$. The fanout of a state $q$ is denoted $fanout(q)$. The output and the fanout state of an edge $(i @ s) \in E$ are $o((i @ s))$ and $n((i @ s)) \in V$ respectively.

A starting or initial state is assumed to exist for a machine, also called the reset state. Given a logic-level finite state machine with $N_b$ latches, $2^{N_b}$ possible states exist in the machine. A state which can be reached from the reset state via some input vector sequence is called a valid state in the STG. The input vector sequence is called the justification sequence for that state. A state for which no justification sequence exists is called an invalid state. Given a fault $F$, the STG of the machine with the fault is denoted $G^F$. A differentiating sequence for states $s_1$ and $s_2$ in a machine is a sequence of inputs $i_1 \ldots i_N$ such that if the machine begins in state $s_1$, the output associated with input $i_N$ is different than if the machine begins in state $s_2$. Two states in a STG $G$ are equivalent if they do not have a differentiating sequence.

A STG $G_1$ is said to be isomorphic to another STG $G_2$ if and only if they are identical except for a renaming of states.

The fault model assumed is single stuck-at. A finite state machine is assumed to be implemented by combinational logic and feedback registers. Tests are generated for stuck-at faults in the combinational logic part.

A primitive gate in a network is prime if none of its inputs can be removed without causing the resulting circuit to be functionally different. A gate is irredundant if its removal causes the resulting circuit to be functionally different. A gate-level circuit is said to be prime if all the gates are prime and irredundant if all the gates are irredundant. It can be shown that a gate-level circuit is prime and irredundant if and only if it is 100% testable for all single stuck-at faults.

We differentiate between two kinds of redundancies in a sequential circuit. If the effect of the fault cannot be observed at the primary outputs or the next state lines, beginning from any state, with any input vector, the fault is deemed combinationally redundant. A sequentially redundant fault is a fault that cannot be detected by any input sequence and is not combinationally redundant.

To detect a fault in a sequential machine, the machine has to be placed in a state which can then excite and propagate the effect of the fault to the primary outputs. The first step of reaching the state in question is called state justification. The second step is called fault excitation-and-propagation.

An edge in a STG of a machine is said to be corrupted by a fault if either the fanout state or an output-label of this edge is changed because of the existence of the fault. A path in a STG is said to be corrupted if at least one edge in the path has been corrupted.

Internal single stuck-at faults in a logic network are faults on internal lines (not primary input or primary outputs) that are not equivalent to single or multiple primary output stuck-at faults.


3  Redundancies  in  Sequential  Circuits 

In this section we characterize redundancies in sequential machines. We present two views of these redundancies by looking at the effect of a fault on the faulty State Transition Graph as well as on the gate-level implementation of the machine.

1 The reader need not be concerned over this rather verbose description of an FSM: it is needed only for notational convenience in the proofs, and none of the algorithms require it.

Figure 1: A Sequential Circuit


A general model of a sequential circuit S, implementing a single FSM is shown in Figure 1(a). Gates in the combinational network may be in the cone of the output logic, the next-state logic, or both. The State Transition Graph corresponding to one such machine is shown in Figure 1(b).

Redundant faults in S may be combinationally redundant (CRFs) or sequentially redundant (SRFs). Combinationally redundant CRFs can be eliminated via combinational logic optimization alone [2] [1] and will not be discussed here. Sequentially redundant faults can be classified into three categories [8].

1. invalid-state faults: The fault does not corrupt any fanout edge of a valid state in the STG, but does corrupt the fanout edge of an invalid state.

2. isomorphic faults: The fault results in a faulty machine that is isomorphic (with a different encoding) to the original machine.

3. equivalent-state faults: The fault causes the interchange/creation of equivalent states in the STG.

In [8], it was shown that any sequential redundancy must fall into one of these classifications.

Let us now look at some examples of these faults. A faulty STG corresponding to an invalid-state SRF is shown in Figure 2(b). Only fanout edges from an invalid-state have been corrupted. This corresponds to either output/next-state logic that is not combinationally redundant, but requires for detection that the state register of the machine be filled with a state code that does not correspond to any valid state. These redundancies actually do occur in practice when the next-state logic has been optimized independently of the state assignment.

The effects of an isomorphism SRF are shown in Figure 2, where an isomorphic faulty machine (equivalent to the true machine) is depicted in which s2 and s3 have been interchanged. This occurs when the next-state logic in the good machine which produced the state code associated with s2, now produces the state code for s3, and vice versa. Furthermore, the output logic is simultaneously modified by the fault in such a way that the outputs due to state codes s2 and s3 are also swapped.

In Figure 1(b), note that states s2 and s4 are equivalent states. An equivalent-state SRF in S may produce the faulty STG of Figure 2(a), where the only input-label associated with the edge <s1, s2> is moved to a new edge <s1, s4>. Furthermore, the fault does not change the terminal behavior of S. As s2 and s4 are equivalent, the fault is undetectable. This corresponds to a logic level change such that when the state register holds the code for s1, on the input "0" the faulty next-state logic produces the state code for s4 rather than the state code for s2.

Creating an irredundant sequential machine entails eliminating the sources of redundant faults. In the next section we describe some general procedures which eliminate the isomorphism SRFs and invalid-state SRFs, and partially eliminate equivalent-state SRFs.

4  Eliminating  Redundancies  in  Sequential 
Circuits 

In this section, we will cover general methods for eliminating certain classes of redundancies in sequential circuits. We will show that simple procedures may eliminate invalid-state and isomorphism SRFs, but the difficulty in synthesizing fully testable sequential machines is in eliminating equivalent-state SRFs. 2 First, we give two results that relate to the elimination of all three classes of SRFs.

2 It may be worth noting here that despite the apparently greater complexity of sequential test generation relative to combinational test generation the problem is


Figure  2:  3  Types  of  Sequential  Redundancies 


4.1  Theorems  Regarding  Unconditional  Testability 

Variations of the results below were proven in [8] (e.g., Lemma 4.1, Theorems 4.2 and 4.4).

Lemma 4.1: Given a reduced sequential machine (implemented as in Figure 1) with $N_s \le 2^n$ states, where $n$ is the number of latches in the machine, all single stuck-at faults on the primary input (PI)/present state (PS) lines and all single and multiple stuck-at faults on primary output (PO)/next-state lines (NS) are testable, if the combinational logic of the machine is prime and irredundant with respect to the invalid state don't care set.

This lemma usefully allows us to limit our consideration of faults for any machine, as long as we have made the combinational logic prime and irredundant.

Theorem 4.1: Given a reduced sequential machine with $2^n$ states, where $n$ is the number of latches in the machine, if the combinational logic of the machine is prime and irredundant and is implemented in two-level form or algebraically factored multilevel form, then the machine is fully testable for all single stuck-at faults in the combinational logic.

Proof: The terminal behavior of a reduced machine with $2^n$ states can only be realized by a machine with $\ge 2^n$ states. No fault in the machine can increase the number of states in the machine. Therefore, the number of states in the faulty STG $G^F$ for any fault $F$ is less than or equal to $2^n$. If $|G^F| < 2^n$, then $F$ is testable, since $G^F$ cannot realize the terminal behavior of the true STG $G$. If $|G^F| = 2^n$, then $G^F$ has to be isomorphic to $G$ in order to realize the terminal behavior of $G$.

Isomorphism implies an interchange of states and associated edges in the STG of a machine. By Lemma 4.1, we only have to consider internal stuck-at faults in the two-level or algebraically factored multi-level network. If for each internal fault, the parity of inversions is the same (either odd or even) for all paths to the next-state latches, then isomorphism SRFs will not occur. If this inversion-parity invariant is maintained then all the input-labels corrupted by a single internal fault uniformly result in all state codes in the faulty machine monotonically increasing or monotonically decreasing but not both. Thus, a single fault could not lead to the swapping of state codes required to produce an isomorphism SRF. For example, a s-a-0 fault might result in the next-state logic in the faulty machine producing state code <001> rather than <101>, but the same fault could not also cause the next-state logic in the faulty machine to produce state code <101> rather than <001>. The inversion-parity invariance is naturally produced by a number of current synthesis procedures. Clearly internal faults in a two-level combinational network are inversion-parity invariant because all inverters are on the primary inputs. Similarly, circuits obtained via algebraic factorization from two-level networks may also be directly expressed such that all their inverters are on the primary inputs. Q.E.D.

2 (continued) also NP-complete when the input circuit is accompanied by a FSM description. The sequential test generation problem is clearly NP-hard, and as any test sequence for a fault is bounded by the size of the input FSM, a test sequence may be verified in polynomial time by a fault simulator. Thus the sequential test generation problem is also contained in NP.

The above theorem does not hold for FSMs implemented by general multi-level networks, nor for FSMs with State Transition Graphs (STGs) with fewer than $2^n$ states, where $n$ is the number of latches in the machine. In Section 5 we define the notion of fault-effect disjointness which, when applied in a synthesis procedure, can guarantee the complete testability of a general sequential circuit by ensuring that each faulty state has an uncorruptible differentiating sequence. We now proceed to discuss techniques for the elimination of particular SRFs.

4.2  Eliminating  Invalid-state  SRFs 

To eliminate these SRFs, it is sufficient to use codes corresponding to invalid states as don't cares during logic optimization. An invalid-state SRF is due to the sub-optimal usage (or no usage) of these don't cares. These redundancies will not exist if the combinational logic is made irredundant under this don't care set.


4.3  Eliminating  Isomorphism  SRFs 

There are many ways of ensuring that isomorphism does not occur due to faults in sequential circuits. Isomorphism due to a fault is essentially due to a sub-optimal state assignment. The new encoding corresponding to the isomorph represents a better machine (one with the redundant line removed). A locally optimal state assignment across any given set of states can ensure that isomorphism does not occur in multi-level circuits, across this set of states. It is worthwhile to note that optimal state assignment corresponds to the optimal usage of don't cares - one does not care what the codes of the different states are so long as they are distinct.

Two-level realizations and algebraic factorization also eliminate the possibility of isomorphism SRFs (by the arguments used in Theorem 4.1).

4.4  Eliminating  Equivalent-state  SRFs 

Equivalent-state SRFs are related to equivalent valid/valid and valid/invalid state pairs in a sequential machine. Given a reduced machine, a fault that corrupts a single edge going to a faulty, but valid, state cannot be responsible for a SRF, since all valid states are distinguished. Thus, an initial state minimization will preclude the occurrence of an SRF of the form in Figure 2(a). However, we may have a case when the fault results in an invalid next state that is equivalent (or becomes equivalent) to the true next state. This is illustrated in Figure 3. We have the true STG in Figure 3(a), that is state minimal. The invalid state s4's code has been used as a don't care and s4 is equivalent to state s2 after logic minimization under this don't care condition. A fault could result in the scenario shown in Figure 3(b), where a single corrupted edge whose true next state is s2 produces a faulty next state, s4. The fault is redundant. Equivalent-state SRFs due to these valid/invalid state pairs pose major difficulties for testability-driven synthesis and we devote the remainder of the paper to discussing a spectrum of techniques that eliminate them.
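
The valid/invalid state-pair scenario described above can be checked mechanically. The following is an added example, not code from the paper: the STG encoding, the four-state Mealy machine, the injected fault and all function names are constructed for illustration. It computes valid states, searches for a differentiating sequence over state pairs, and reports whether the sequence for the fault-free/faulty next-state pair is retained in the presence of the fault.

```python
from collections import deque
import copy

# STG encoding (constructed for this example): state -> {input: (next_state, output)}.
# Every state code, valid or not, has a row, because the synthesized logic
# responds to all codes that the state register can hold.

def valid_states(stg, reset):
    """States that have a justification sequence from the reset state."""
    seen, todo = {reset}, [reset]
    while todo:
        state = todo.pop()
        for nxt, _out in stg[state].values():
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def differentiating_sequence(stg_a, start_a, stg_b, start_b):
    """Shortest input sequence whose last output differs between machine A
    started in start_a and machine B started in start_b; None if the two
    start states are equivalent. Breadth-first search over state pairs."""
    seen = {(start_a, start_b)}
    queue = deque([(start_a, start_b, [])])
    while queue:
        a, b, seq = queue.popleft()
        for inp in sorted(stg_a[a]):
            next_a, out_a = stg_a[a][inp]
            next_b, out_b = stg_b[b][inp]
            if out_a != out_b:
                return seq + [inp]
            if (next_a, next_b) not in seen:
                seen.add((next_a, next_b))
                queue.append((next_a, next_b, seq + [inp]))
    return None

def perturbed_labels(good, faulty, reset):
    """Input-labels (input, present state) of valid states whose fanout state
    the fault changes, with the fault-free/faulty next-state pair it creates."""
    pairs = []
    for state in sorted(valid_states(good, reset)):
        for inp in sorted(good[state]):
            true_next, faulty_next = good[state][inp][0], faulty[state][inp][0]
            if true_next != faulty_next:
                pairs.append(((inp, state), true_next, faulty_next))
    return pairs

def analyze(good, faulty, reset):
    """Test sequence from reset (None means the fault is redundant) plus, for
    each state pair the fault creates, the differentiating sequence that
    survives when the faulty side is evaluated in the faulty machine."""
    valid = valid_states(good, reset)
    report = []
    for label, true_next, faulty_next in perturbed_labels(good, faulty, reset):
        report.append({
            "label": label,
            "pair": (true_next, faulty_next),
            "faulty_state_valid": faulty_next in valid,
            "retained_sequence": differentiating_sequence(
                good, true_next, faulty, faulty_next),
        })
    return {"test": differentiating_sequence(good, reset, faulty, reset),
            "pairs": report}

def machine(s4_row):
    """Constructed machine: s1 (reset), s2, s3 are valid and pairwise
    distinguishable; s4 is an invalid state code whose row is whatever the
    don't-care minimization happened to produce."""
    return {
        "s1": {"0": ("s2", 0), "1": ("s3", 0)},
        "s2": {"0": ("s1", 1), "1": ("s3", 0)},
        "s3": {"0": ("s3", 0), "1": ("s1", 1)},
        "s4": s4_row,
    }

def with_fault(stg):
    """Constructed fault effect: the edge s1 --0--> s2 now lands in s4."""
    faulty = copy.deepcopy(stg)
    faulty["s1"]["0"] = ("s4", 0)
    return faulty

# s4 behaves exactly like s2: the fault is an equivalent-state SRF.
REDUNDANT = machine({"0": ("s1", 1), "1": ("s3", 0)})
# s4 differs from s2 on input 1, and the fault leaves that edge alone.
TESTABLE = machine({"0": ("s1", 1), "1": ("s3", 1)})

if __name__ == "__main__":
    for name, stg in (("redundant", REDUNDANT), ("testable", TESTABLE)):
        print(name, analyze(stg, with_fault(stg), "s1"))
```

In the first machine the search returns no test because s4 is equivalent to s2; in the second, the retained sequence for the pair (s2, s4) extends the justification input into a test from reset.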

5  Distinguishing  Sequences  and 
Equivalent-State  SRFs 

The most general paradigm for the elimination of equivalent-state SRFs is to ensure that for each faulty/fault-free state pair produced by a fault, at least one differentiating sequence exists which is not destroyed by that fault. This is a necessary and sufficient condition and while obvious, we encapsulate it in the following observation.

Theorem 5.1: Given a sequential machine with no combinationally redundant faults, invalid-state SRFs or isomorphism SRFs, if for each fault in the machine at least one (possibly multiple-vector) differentiating sequence for at least one faulty/fault-free state pair produced by a fault in the machine is retained in spite of the fault, then the resulting sequential machine is fully testable.

There are two conditions under which a differentiating sequence is retained. The first is that the fault which produces the faulty/fault-free pair does in fact corrupt the differentiating sequence, but the behavior of the faulty machine is still distinguishable from the good machine. For instance, say two states $q_1$ and $q_2$ on receiving the input $i_1$ produce outputs $o_1$ and $o_2$ respectively. If this pair appears as a faulty/fault-free state pair due to a fault $f$, then $f$ may corrupt $o_1$ to $o_f$. The differentiating input $i_1$ is still retained if $o_f \ne o_2$. This condition is discussed in Section 5.4. The second condition for retainment is that $f$ does not corrupt $o_1$, or more generally that any fault which creates a faulty/fault-free state pair does not corrupt the differentiating sequence for that state pair. We discuss this in the following sections.

Figure 3: A Complex Equivalent State SRF


5.1  Fault-Effect  Disjointness 

The elimination of equivalent-state SRFs is ensured when differentiating sequences, for possible faulty/fault-free state pairs produced due to a fault, are uncorrupted by that fault. These sequences may, of course, be corrupted by other faults. This is accomplished by defining the notion of fault-effect disjointness (FE-disjointness) between a pair of edges and applying it to combinational networks.

Definition 5.1: Given a FSM M, a STG G representing M and a
logic-level implementation L of M, a fault f is said to perturb an input-label
m of an edge e in G iff the fault in L causes the input-label to be
removed from e (and moved to another edge).

Every fault that perturbs an edge corrupts the edge, but a fault may
corrupt an edge without changing the fanout state, whereas every fault
that perturbs an edge changes the fanout state.


Definition 5.2: Given a FSM M and a STG G representing M, a
logic-level implementation L of M, and two input-labels m1 and m2 of
two edges e1 and e2 in G, the two labels m1 and m2 are said to be
FE-disjoint over a set of faults F ∈ L if no fault in F corrupts both m1 and
m2.


Based on FE-disjointness alone, we can define a general procedure
that produces fully testable sequential machines.

Theorem 5.2: If each of the input-labels in at least one (possibly
multiple-vector) differentiating sequence of at least one faulty/fault-free
state pair produced by a fault in the machine are made FE-disjoint from
the input-label whose perturbation caused the faulty/fault-free state pair,
then the resulting sequential machine is fully testable.

Proof: Since at least one differentiating sequence for a faulty/fault-free
pair that is produced due to a fault is uncorrupted by the fault,
traversing the input-labels in the differentiating sequence will detect the
fault at the primary outputs. Q.E.D.

The  following  points  are  worthy  of  note: 

1. Possible faulty/fault-free pairs: An extreme case corresponds
to a fault resulting in all possible pairs of states becoming
faulty/fault-free state pairs. However, depending on the type of
implementation, the effect of a fault varies. For example, internal
faults in a two-level or algebraically factored network uniformly
produce a 0 instead of a 1, or a 1 instead of a 0 at the outputs they
are propagated to. Logic partitioning can restrict the set of outputs
a fault can be propagated to, in two-level or general multi-level
networks. Synthesis procedures can be characterized by restrictions on
faulty/fault-free state pairs that can occur, placed via constraints
on logic optimization.

2. State assignment: State encoding controls what symbolic states
are produced as faulty/fault-free pairs. Constrained state
assignment can be used in conjunction with logic optimization to restrict
what symbolic states can appear as faulty/fault-free state pairs.
We do not explore this approach further in this paper.

3. Obtaining FE-disjointness: For any fault f, a valid/invalid state
pair is first activated by an input in a particular state, i.e. by an
input-label. Each of our procedures ensures that the fault f which
perturbs the input-label m1 and produces the valid/invalid state
pair does not also corrupt the differentiating sequence (e.g. m2)
for the invalid/valid state pair. This is ensured by making the
input labels m1 and m2 FE-disjoint. There are several methods
of obtaining FE-disjointness for a pair of input-labels over a fault
in a FSM implemented by two-level or multi-level combinational
logic; different methods are characteristic of different synthesis
approaches. For example, partitioning the output and next state logic
in a sequential machine ensures that the output of a faulty state
(produced by a fault in the NSL block) is not corrupted by the
fault. Optimal usage of don't cares represents another technique
to ensure FE-disjointness.

4. Multiple-cycle differentiating sequences: In general,
differentiating sequences for a given pair of states may have lengths greater
than 1. In this case, we require the input-label m1 which
activated the faulty/fault-free state pair to be FE-disjoint from each
of the input-labels m2...m\ corresponding to the differentiating
sequence for the faulty state.

We will now show how previously proposed synthesis procedures can
be viewed as different approaches to insuring the invariant given in
Theorem 5.2. In Section 5.2 we consider procedures that ensure
FE-disjointness through a highly restricted implementation. This procedure
has the advantages that it is computationally inexpensive and the time
for generating tests for the resulting logic is also reduced (see Section 5).

In Section 5.3 we show that FE-disjointness can be maintained in
two-level circuits by modifying the initial Boolean cover. The
FE-disjointness invariant can then be further retained in a multi-level
implementation by constraining the algebraic factorization of the two-level
implementation. The resulting implementation has significantly fewer
restrictions than the implementations resulting from the constrained
synthesis procedures described in Section 5.2 and this results in smaller
implementations (see Section ). The procedures based on covering and
factorization also have many degrees of freedom in their application.
They may be applied so as to minimize computation time with the
potential for an inferior implementation or they may be applied so as to
minimize the size of the implementation at greater computational cost.

Finally, in Section 5.5 we discuss a procedure that achieves an optimal
implementation by iteratively removing SRFs. Such an approach
maintains the FE-disjointness invariant as well. From the results in Section
6 we see that this approach is the most computationally expensive but
also produces the smallest logic.


5.2  Constrained  Synthesis  Procedures 

The procedure of [7] adds edges to the initial STG specification to raise
the number of states in the STG to 2^n, where n is the number of latches
in the machines. Thus, no invalid states exist in the machine. If the
added pseudo-valid states are not equivalent to the other states in the
machine, then by Theorem 4.1, full testability is obtained in a two-level
or algebraically factored multi-level implementation. The procedure
ensures full and easy testability in a general multi-level logic
implementation, via constrained state assignment and logic partitioning.^3 The
synthesised machine is easily testable in the sense that the length of a
differentiating sequence for any possible faulty/fault-free state pair is
limited to 1.

In Figure 4, the architecture used by the procedure for a Mealy
machine is shown. Each of the next state (NS) lines has been realised as
a separate circuit. The constraint on the state assignment is that any
pair of states that cannot be distinguished via a single-vector sequence
be given codes at least of distance-2. We state the following theorem
to put the procedure of [7] in context of FE-disjointness and Theorem
5.2. Only internal faults are considered since PI/PS/NS/PO faults are
testable by Lemma 4.1.


*bi  tin.  procedure  «  tor  site  optimal  .1*1.  assignment  i.  not  required  for  full 
testability  in  a  general  multi-level  hnptai»etitai 
Figure 4: Architecture of Partitioned Mealy Machine


Theorem 5.3: The procedure of [7] results in a machine where all
possible faulty/fault-free state pairs due to an internal fault have
differentiating sequences of length 1, that are FE-disjoint from the input-label
whose perturbation caused the faulty state.

Proof: An internal fault in the OL block can only be propagated to the
POs and thus cannot cause a faulty state. Without loss of generality,
consider a fault in 1st NS line partition. Since the combinational logic is
irredundant, an input-label and present state exist that propagate the
effect of the fault to the 1st NS line. Therefore, the faulty state will
differ from the true state in the 1st bit alone. The state encoding is such
that the faulty/fault-free state pair possesses a differentiating sequence
of length 1. The partitioning of the OL and NSL blocks guarantees
FE-disjointness of the differentiating vector from the input-label whose
perturbation caused the faulty/fault-free state pair. Q.E.D.

Note that this theorem in conjunction with Theorem 5.2 ensures
full/easy testability for the synthesized FSM.

The constrained synthesis procedure that we presented here
maintains fault-effect disjointness at a considerable area penalty. In the
following sections we present procedures that are less restrictive on the
optimization steps in synthesis.

5.3  Retaining  FE-Disjointness  Through  Covering 
and  Factorization 

5.3.1 Fully Testable Machines with Two-level Logic Implementations

The notion of fault-effect disjointness (FE-disjointness) can be applied
to two-level logic minimization in order to produce two-level
combinational logic networks implementing FSMs that are fully testable. The
procedure described here is primarily concerned with differentiating
sequences of faulty/fault-free state pairs. These pairs are such that the
faulty state is an invalid state, since, by the arguments of Theorem 4.1,
if only valid states are produced as faulty states, full testability can be
obtained via a standard minimization strategy. Also, we will be
dealing only with internal faults in the network; Lemma 4.1 guarantees the
unconditional testability of primary input, present state line, next state
line and primary output stuck-at faults.

The strategy used here modifies the logic minimization process using
the invalid states as don't cares, so for each invalid state iv the following
conditions are satisfied.

1. iv is not required to detect any fault F in the machine S.

2. iv is distinguishable from any valid state in a specified number
(> 1) of state transitions or iv never appears as a faulty next state,
that is equivalent to the true next state.

The goal of the minimization procedure is to satisfy Conditions 1 and 2
and produce an area-minimal logic circuit. The prime implicant
generation and covering steps that are basic to two-level Boolean minimization
are modified to this end.

We now apply the notion of FE-disjointness to two-level networks.


Figure  5:  Moore  and  Mealy  Finite  State  Machines 


Definition 5.3: A Distance-k-prime-cube (D-k-prime-cube) of a
prime cube c is a cube that has exactly the variables of c and a 1 (0) in
exactly k positions where c has a 0 (1), in any combination.

It is only meaningful to talk about a D-k-prime-cube relative to a
particular prime cube, but whenever the prime cube that is being referred
to is unambiguous we will use the term D-k-prime-cube to abbreviate
D-k-prime-cube relative to a prime cube.

Lemma 5.1: Given M, G and a two-level implementation T of M
and a single internal fault f in T that perturbs an input-label m of an
edge e in G, if f is a s-a-0 fault on the output of an AND gate g_i of T
then m is contained within the prime cube associated with g_i, and if f is
a s-a-1 fault on the input of an AND gate g_i of T then m is contained
within a D-1-prime-cube relative to g_i.

Proof: First, observe that we can collapse the internal faults in a
two-level network to s-a-1 faults on the AND gate inputs, s-a-0 faults at AND
gate outputs and s-a-0 faults at OR gate inputs. S-a-1 faults at AND
gate outputs and OR gate inputs are equivalent to single or multiple
PO s-a-1 faults. S-a-0 faults at AND gate inputs are equivalent to the
corresponding s-a-0 fault at the AND gate output.

Suppose f is a s-a-0 fault at the output of an AND gate g_i. To perturb
m, f must cause m to move to another edge e1. Only those input-labels
contained within the prime cube associated with g_i will be affected by
the s-a-0 fault, thus m is contained within the prime cube associated
with g_i. Note that assuming complete observability of all outputs and
next-state lines one can view m as a test vector for f.

By a similar argument, for an input label m to be affected by a s-a-0
fault f on an OR gate input, m must be contained within the prime
cube associated with the gate g_i that fans out to the affected OR gate.
Thus the set of input labels perturbed by a s-a-0 fault on an OR gate
input that is fed by an AND gate g_i will always be a subset of the input
labels affected by a s-a-0 fault on the input (or output) of g_i.

Suppose f is a s-a-1 fault at the input of an AND gate g_i. To perturb
m, f must cause m to move to another edge e1. Only those input
labels contained within the D-1-prime-cube relative to the prime cube
associated with g_i will be affected by the s-a-1 fault, thus m is contained
within the D-1-prime-cube. As before, assuming complete observability
of all outputs and next-state lines one can view m as a test vector for
f. Q.E.D.

We can state a theorem regarding sufficient conditions for two edge
labels to be FE-disjoint over s-a-0 or s-a-1 internal faults in a two-level
network.

Theorem 5.4: Given M, G and T as above, two input-labels m1 and
m2 are FE-disjoint over internal s-a-0 (s-a-1) faults in a two-level
network, if one of the following conditions is satisfied:

1. m1 and m2 are not both contained in any prime (not both contained
in any D-1-prime-cube) in T.

t.  nit  and  in j  arr  both  rontainrd  in  a  prinir  p(  for  in  a  O-l-prinn. 
eekr  of  a  prinir  pj).  and  tii|  or  nij  is  rontainrd  in  aoim  othir 
prime  pj  that  atarrla  Ibt  aamr  oaf  puts  as  Ur  prinir  pt  for  pi). 

Proof: First, consider Condition 1. By Lemma 5.1, for an input-label
to be perturbed by a s-a-0 fault it must be contained in the prime
cube associated with the faulty gate. Similarly, for an input-label to be
perturbed by a s-a-1 fault it must be contained in the D-1-prime-cube
associated with the faulty gate. Thus for two input-labels to both be
corrupted by a given s-a-0 (s-a-1) fault they must both be contained
within the same prime cube (D-1-prime-cube). If this condition is not
met then no fault can simultaneously perturb both edge labels.

Next, consider Condition 2. If F is at the input l of an AND gate, for
F to truly perturb an input-label m no other AND gate feeding the OR
gate asserting the PO can have a 1 at its output on m. This implies
that if m is perturbed by F, for each PO fed by g1, the input-label m
cannot be contained in any of the primes corresponding to the other
AND gates feeding the PO. Thus, the input-labels perturbed by F are
restricted to those that serve as primality tests for l in p1. Consider a
s-a-0 fault, F, at the output of an AND gate g2 and associated prime
p2. For F to perturb an input label m, no AND gate feeding the same
OR gate(s) as g2 can have a 1 at its output on m. This implies that if m
is contained in a prime asserting the same outputs as g2, it will not be
perturbed by F. Thus, the input-labels perturbed by F are restricted
to those that serve as irredundancy tests for p2. Q.E.D.
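The fault collapsing used in the proof of Lemma 5.1 and the two conditions of Theorem 5.4 can be checked by brute force on a small cover. The following is an added example, not code from the paper: the single-output cover f = ab + bc is constructed for illustration, its output is treated as a next-state line (so any output change counts as a perturbation), and all function names are hypothetical.

```python
from itertools import product

# Constructed cover f = ab + bc over inputs (a, b, c), one cube per AND gate.
# PLA notation: '1' = literal, '0' = complemented literal, '-' = input unused.
COVER = ["11-", "-11"]


def minterms(n=3):
    """All input-labels (fully specified input vectors) over n inputs."""
    return ["".join(bits) for bits in product("01", repeat=n)]


def covers(cube, m):
    """True if input-label m lies inside cube."""
    return all(c in ("-", b) for c, b in zip(cube, m))


def output(cover, m):
    """OR of the AND gates: the fault-free or faulty network response on m."""
    return any(covers(cube, m) for cube in cover)


def collapsed_faults(cover):
    """Fault classes that remain after the collapsing in Lemma 5.1's proof."""
    for g, cube in enumerate(cover):
        yield ("s-a-0", g, None)            # AND gate output stuck at 0
        for pos, lit in enumerate(cube):
            if lit != "-":
                yield ("s-a-1", g, pos)     # one AND gate input stuck at 1


def faulty_cover(cover, fault):
    """Cover realised by the network with the given single fault present."""
    kind, g, pos = fault
    if kind == "s-a-0":                     # the prime disappears from the cover
        return cover[:g] + cover[g + 1:]
    raised = cover[g][:pos] + "-" + cover[g][pos + 1:]   # the literal is dropped
    return cover[:g] + [raised] + cover[g + 1:]


def perturbed(cover, fault):
    """Input-labels whose response changes under the fault (fault simulation)."""
    bad = faulty_cover(cover, fault)
    return {m for m in minterms(len(cover[0]))
            if output(cover, m) != output(bad, m)}


def lemma_5_1_region(cover, fault):
    """Prime cube (s-a-0) or D-1-prime-cube (s-a-1) bounding the perturbed labels."""
    kind, g, pos = fault
    if kind == "s-a-0":
        return cover[g]
    flipped = "0" if cover[g][pos] == "1" else "1"
    return cover[g][:pos] + flipped + cover[g][pos + 1:]


def fe_disjoint(cover, m1, m2):
    """Definition 5.2 by exhaustive simulation: no single fault changes both labels."""
    return not any({m1, m2} <= perturbed(cover, f) for f in collapsed_faults(cover))


def condition_1(cover, m1, m2):
    """Theorem 5.4, Condition 1: no prime and no D-1-prime-cube holds both labels."""
    regions = [lemma_5_1_region(cover, f) for f in collapsed_faults(cover)]
    return not any(covers(r, m1) and covers(r, m2) for r in regions)


if __name__ == "__main__":
    for f in collapsed_faults(COVER):
        print(f, "region", lemma_5_1_region(COVER, f),
              "perturbs", sorted(perturbed(COVER, f)))
    # 110 and 111 share the prime ab, so Condition 1 fails, yet 111 is also
    # covered by bc and is never perturbed: the situation Condition 2 addresses.
    print(condition_1(COVER, "110", "111"), fe_disjoint(COVER, "110", "111"))
```

Condition 1 is only sufficient: the simulation shows pairs that fail it and are still FE-disjoint because one label is held by a second prime asserting the same output.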

We now define a procedure that produces a fully testable Moore
machine, under the architecture of Figure 5(a).

1. The OL block is minimized with the invalid states used as don't
cares, attempting to make sure that a maximal number of invalid
states produce different output combinations from all or a maximal
number of valid states. If all invalid states produce different outputs
from each of the valid states, unconditionally minimize the NSL
block and exit. (Two invalid states are allowed to produce the
same output.)

2. For each invalid state iv_i, find the set of valid states
Q_i = q_i1, ..., q_ik that assert the same output combination as
the invalid state, and such that iv_i ⊃ q_ij or q_ij ⊃ iv_i.

3. Perform a two-level Boolean minimization on the logic of the NSL
block, meeting the following conditions:

(a) Use the invalid states as don't cares for all primary input
values.

(b) For each invalid state iv_i, ensure that there exists a PI vector
i_j that distinguishes iv_i and q_ij ∈ Q_i, 1 ≤ j ≤ k. That
is, i_j produces different next states for iv_i and q_ij, such that
the next states assert different output combinations, via an
appropriate selection of primes. Also, the vector pairs
corresponding to e ∈ fanin(q_ij) and i_j ∩ iv_i are constrained to
be FE-disjoint over (each individual fault in) the s-a-0 (s-a-1)
internal faults in the network corresponding to the cover if
q_ij ⊃ iv_i (iv_i ⊃ q_ij), via an appropriate selection of primes
that satisfy the conditions of Theorem 5.1.

Theorem 5.5: If the procedure above completes successfully, it
produces a fully testable Moore machine.

Proof: Faults in the OL block can be detected by justification sequences
to the appropriate valid states that propagate the fault to the POs.

Consider an internal fault F in the NSL block. If F results only in
faulty next states that are valid states or invalid states asserting different
output combinations from the true valid state, then F is testable. We
have to consider the possibility of F resulting in a faulty/fault-free state
pair that corresponds to an invalid-valid state pair, namely iv_i, q_ij
which both assert the same output combination.

Since F is an internal fault, it can only monotonically increase the
faulty state bits or monotonically decrease them (c.f. Theorem 4.1).
Therefore, iv_i ⊃ q_ij or q_ij ⊃ iv_i. We can thus discard faulty/fault-free
state pairs that do not satisfy these conditions at Step 2. If iv_i, q_ij
appeared as a faulty/fault-free pair, it means that e ∈ fanin(q_ij) was
corrupted to iv_i, instead of q_ij. If q_ij ⊃ iv_i, then it means we are
dealing with a s-a-0 fault. Then, a differentiating vector i_j for iv_i, q_ij
will not have been corrupted since i_j ∩ iv_i and e are FE-disjoint
over the s-a-0 internal fault set. We can similarly argue the s-a-1 case.
Thus, we can detect F in the next state transition, via the uncorrupted
differentiating vector for iv_i, q_ij. Q.E.D.

The procedure is easily extended to the Mealy machine case
(Figure 5(b)). The procedure to produce a fully testable Mealy machine is
similar to the Moore machine procedure, except that during the
minimization of the OL block, we can make choices as to what vectors can
be used to distinguish the invalid and valid states, while maintaining
primality and irredundancy of the OL block cover. During the
minimisation of the NSL block, we effectively ensure for state pairs that
do not have a differentiating vector that a two-vector differentiating
sequence for the pair is uncorrupted, if the two states are produced as a
faulty/fault-free pair.

Finally, the procedure can be extended to synthesize Moore or Mealy
machines under the lumped architecture of Figure 1(a). In this case, we
have more FE-disjointness constraints, since we have to ensure that the
output asserted by an invalid state (under some primary input
combination) is uncorrupted if the state is produced as a faulty state. If the
output is not distinct from the output produced by the true state, then
the next state of the faulty state has to satisfy the condition described
in Step 3(b) above.

5.3.2 Fully Testable Machines with Multi-level Logic Implementations

We wish to extend the results of the previous section to multi-level
implementations. As before the paradigm followed is to ensure that the
differentiating sequences, for possible faulty/fault-free state pairs
produced due to a fault, are uncorrupted by that fault. This is accomplished
by applying the notion of FE-disjointness between a pair of edges to
multi-level combinational networks. Guaranteeing FE-disjointness
between two input-labels is more complicated in a multi-level
implementation than in a two-level implementation. This is due to the fact that
a single fault in a multi-level implementation may be equivalent to a
multiple fault in a two-level network. To simplify things we restrict our
consideration to those multi-level networks that are the result of an
algebraic factorization [4] of a prime and irredundant two-level network.
Unfortunately, space limitations make a review of key logic synthesis
concepts such as cube, kernel, kernel-cube and factor impossible, but
[3] gives a good treatment of these ideas. Recently, it was shown in [Oj
that each single internal fault in a multi-level implementation that was
algebraically factored from a prime and irredundant two-level network
is equivalent to a multiple internal fault in the two-level network. In
particular, it can be shown that any single internal s-a-0 (s-a-1) fault in
an algebraically factored network is equivalent to a s-a-0 (s-a-1)
multiple fault in the associated two-level network. We therefore begin with
perturbation conditions for input-labels under a multiple fault in
two-level networks, and then apply these results to algebraically factored
networks.

Lemma 5.2: Given M, G and T as in Lemma 5.1 and a multiple
s-a-0 internal fault f in T, if f perturbs an input-label m in G then
every prime in which m is contained must have been affected by the
fault. Furthermore, that perturbation causes some next-state variable
that formerly was 1 to become 0.

Proof: The effect of an internal s-a-0 fault on a prime is to remove
that prime from the cover. The effect of a number of internal s-a-0
faults is to remove each affected prime from the cover. These missing
primes affect the network in a predictable way: If all the primes that
covered an input-label are missing then that input-label which formerly
resulted in some next-state or primary output variables having the value
1 now results in those same variables having the value 0. If next-state
variables are affected then the input-label is perturbed. Note that it is
necessary for all primes covering an input-label to be affected before the
input-label is perturbed. Q.E.D.

We wish to use this lemma to arrive at conditions for input-labels to
remain FE-disjoint in the presence of a single internal s-a-0 fault in an
algebraically factored multi-level network.

Theorem 5.6: Given M, G and T as above, let A be an algebraic
factorization of T. Let m1 and m2 be two input-labels of G and let P1
be the set of all primes of T that cover m1 and let P2 be the set of
all primes of T that cover m2. The two input-labels m1 and m2 in G
are FE-disjoint over internal s-a-0 faults in A, if both m1 and m2 are
not contained in any single prime cube in T and no factor extracted in
the factorization of A contains cubes common to every prime in P1 and
every prime in P2.

Proof: That both m1 and m2 are not contained in any single prime
cube in T is simply restating the condition of Theorem 5.4. Note that
this condition implies that P1 and P2 are disjoint. By Lemma 5.2, in
order for a s-a-0 fault to perturb m1, it must affect every prime in P1
and similarly in order for a s-a-0 fault to perturb m2 it must affect every
prime in P2.^4 If a single s-a-0 internal fault in A perturbs m1 and m2
when the fault is applied and A is collapsed to two-levels (the inverse
operation of factorization), then every prime in both P1 and P2 must
have been affected. For this to occur, during factorization there must
either be some cube factor c such that c is a sub-cube of every prime in
both P1 and P2 or there must be some kernel factor k such that some
kernel-cube of k is a sub-cube of every prime in P1 and every prime in
P2. Q.E.D.

4 Certainly, primary input faults can produce such an effect but such faults are
easily detectable by other means.

Using these results to arrive at an algebraic factorization A in which
m1 and m2 are FE-disjoint with respect to any internal s-a-0 fault
requires first building sets P1 and P2. During cube extraction, a cube
c is eliminated from consideration as a factor if c is a sub-cube of
every prime in P1 and every prime in P2. If this cube were allowed, a
s-a-0 fault on the output of the gate associated with the cube could
potentially eliminate all primes in P1 and P2 and as a result perturb
both m1 and m2. During kernel extraction [3], a kernel k is eliminated
from consideration as a factor if every prime in P1 and every prime in
P2 contains as a sub-cube some kernel-cube (it need not be the same
kernel-cube in each case) of k. If this kernel were allowed, a s-a-0 fault
on the output of the gate associated with the kernel could potentially
eliminate all primes in P1 and P2 and as a result perturb both m1 and
m2. All other factors are viable. It is worth noting that while such
factors that violate the FE-disjointness condition may exist, they appear
to be highly unlikely.

Characterizing the influence of s-a-1 faults in a multi-level network is
more complicated than that regarding s-a-0 faults. In the case of s-a-0
faults, each input-label m that is a member of the ON-set is covered
by some set of primes and for m to be perturbed all of those primes
must be affected by some s-a-0 fault. If an input-label m is a member
of the OFF-set then for each prime p in T there exists a k such that m
is contained in a D-k-prime with respect to p, and a multiple s-a-1 fault
affecting any of the primes in T may perturb m.

Lemma 5.3: Given M, G and T as above, and a multiple s-a-1
internal fault f in T, if f perturbs an input-label m in G then m is contained
within a D-k-prime relative to an affected prime of T and m is not
contained in any other prime of T. Furthermore, that perturbation results
in some next-state variable that formerly was 0 to become 1.

Proof: The effect of an internal s-a-1 fault on a prime is to expand
that prime in the cover. The effect of a number of internal s-a-1 faults
is to expand each affected prime from the cover in each literal that is
s-a-1. These expanded literals affect the network in a predictable way:
Some input-labels that formerly resulted in primary outputs and/or
next state variables being 0 now result in those same variables being 1.
The input-labels that will be thus affected are exactly those input-labels
that are contained within a D-k-prime relative to an affected prime. For
instance, if the prime cube abcd is affected by faults a and b s-a-1 then
any input-label contained in the D-1-primes a'bcd or ab'cd or the
D-2-prime a'b'cd will be perturbed by this multiple fault, unless it is already
contained within some other prime in T. Q.E.D.

We wish to use this lemma to arrive at conditions for input-labels to
remain FE-disjoint in the presence of a single internal s-a-1 fault in an
algebraically factored multi-level network.

Theorem 5.7: Given M, G and T as above, let A be an algebraic
factorization of T. Let m1 and m2 be two input-labels of G. The two
input-labels m1 and m2 in G are FE-disjoint over internal s-a-1 faults
in A, if no factor of A contains a cube c such that if each literal of c
is expanded in each prime in A in which c appears, then there does not
exist an expanded prime p in T that covers m1 and an expanded prime
q in T that covers m2.

Proof: We are concerned with identifying the circumstances under
which both m1 and m2 are perturbed by a single s-a-1 fault. For each
of m1 and m2 to be perturbed, it must be contained in some expanded
cube. A s-a-1 fault in a cube factor c results in raising each literal of c
in each prime in T from which c was factored. If no expansion
resulting from a s-a-1 fault on any factored cube simultaneously covers m1
and m2 then m1 and m2 are FE-disjoint under any internal s-a-1 fault.
Q.E.D.

To use these results to arrive at an algebraic factorization A in which
$m_1$ and $m_2$ are FE-disjoint with respect to any internal s-a-1 fault, it is
sufficient to consider the impact on the network of a s-a-1 fault on each
potential factor. Specifically, during kernel extraction, a kernel-cube c
is eliminated from consideration as a factor, if expanding the literals of
c in each prime in T in which c appears, results in an expanded prime p
that covers $m_1$ and an expanded prime q that covers $m_2$. Similarly, in
cube extraction, a cube c is eliminated from consideration as a factor,
if expanding the literals of c in each prime in T in which c appears,
results in an expanded prime p that covers $m_1$ and an expanded prime
q that covers $m_2$. For example, assume we are given the function F =
abcd + abc d and input-labels $m_1$ = a bcd and $m_2$ = ab c d. The cube
ab would not be considered as a factor because a s-a-1 fault on ab would
result in $m_1$ being perturbed by the expansion of the prime abcd to cd
and $m_2$ being perturbed by the expansion of prime abc d to c d.
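The screening rule for candidate factors described above can be sketched as follows. This is an added example, not code from the paper: the cube encoding, the function names and the sample cover and input-labels are assumptions constructed here, and a label counts as perturbed only when no prime of the original cover already contains it, as in the lemma.

```python
# Added illustration: cube encoding and helper names are assumptions,
# not code from the paper. A cube is {variable: polarity}; a trailing '
# in the text form marks a complemented literal, e.g. "ab'c" = a AND NOT b AND c.

def parse(text):
    """Turn "ab'c" into {'a': 1, 'b': 0, 'c': 1}."""
    lits, i = {}, 0
    while i < len(text):
        neg = i + 1 < len(text) and text[i + 1] == "'"
        lits[text[i]] = 0 if neg else 1
        i += 2 if neg else 1
    return lits

def covers(cube, label):
    """True when label lies inside cube (label agrees on every literal of cube)."""
    return all(label.get(var) == pol for var, pol in cube.items())

def expand(prime, factor):
    """Effect of the factor being s-a-1: each literal of the factor is raised."""
    return {var: pol for var, pol in prime.items() if var not in factor}

def perturbed(label, cover, factor):
    """Does a s-a-1 fault on `factor` flip `label` from 0 to 1?"""
    if any(covers(prime, label) for prime in cover):
        return False  # already contained in some prime of T, so nothing changes
    return any(covers(expand(prime, factor), label)
               for prime in cover if covers(factor, prime))

def factor_allowed(cover, factor, m1, m2):
    """Reject a factor whose single s-a-1 fault perturbs both m1 and m2."""
    return not (perturbed(m1, cover, factor) and perturbed(m2, cover, factor))

def screen(cover, candidates, m1, m2):
    """Filter candidate cube factors, as done during cube/kernel extraction."""
    return [c for c in candidates if factor_allowed(cover, parse(c), m1, m2)]

# Constructed sample (polarities chosen here, not recovered from the paper).
COVER = [parse("abcd"), parse("abc'd'")]
M1, M2 = parse("a'bcd"), parse("ab'c'd'")

if __name__ == "__main__":
    print(screen(COVER, ["ab", "cd", "a", "b"], M1, M2))
```
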

5.4  Fault  Simulation 

The procedures discussed in Section 5.1 seek to retain differentiating
sequences by ensuring that any fault which produces the faulty/fault-free
state pair cannot corrupt the differentiating sequence for that
pair in any way. In this section we consider the situation in which the
fault that produces the faulty/fault-free state pair does in fact corrupt
the differentiating sequence, but the differentiating sequence, or a
subsequence of it, still has differentiating behavior for the faulty/fault-free
state pair. The circumstances under which this condition occurs are so
difficult to classify that we can find no general condition in synthesis
which ensures this.⁵ For this reason we suggest fault simulation as
the best way to recognize the maintenance of a differentiating sequence
even when it is corrupted by the fault it was intended to detect.

To motivate this situation, consider the scenario in which we are
given a circuit implementing a sequential machine and for each fault f
in the circuit that produces a non-empty set of faulty/fault-free pairs
$P = \{p_1, p_2, \ldots, p_m\}$ and for each $p_i$ in P we are given a non-empty
set of differentiating sequences $S_i = \{s_{i1}, s_{i2}, \ldots, s_{in}\}$ that
presently detect the fault. The implementation could have been produced by
one of the previous synthesis procedures in the section or by manual design.
Similarly, the differentiating sequences could have been produced manually
or via automatic test-pattern generation. We then wish to optimize the
circuit in such a way that the full testability of the circuit is retained.
To be certain that we have a fully testable machine we wish to ensure
that these sequences are retained after optimization.

A simple approach to determine if the optimized machine is still fully
testable is to fault simulate each $s_{ij}$ on f. If the behavior of any
$s_{ij}$ is unchanged by f then a differentiating sequence for f clearly
exists. The more interesting case is where the behavior of all members of
$S_i$ is changed. In this case we further analyze the results of the fault
simulation of each $s_{ij}$ to see if the behavior of the faulty machine is
still different from the behavior of the true machine. As long as the
behavior differs, $s_{ij}$ is still a differentiating sequence for f.

As stated in Theorem 5.1, we only require one differentiating sequence
for one faulty/fault-free state pair produced by a fault to be retained.
A fault may produce several faulty/fault-free state pairs based on what
excitation vectors are applied. These state pairs will typically have
multiple differentiating sequences. A CPU intensive but less restrictive
procedure might simulate all possible differentiating sequences for all
possible faulty/fault-free state pairs due to a given fault, and check to
see if any one of them is retained. A computationally efficient but less
optimal/more restrictive procedure may focus on a particular differentiating
sequence for each possible faulty/fault-free state pair and check
just that one for retainment.

As mentioned earlier, the differentiating sequences may be either single
or multiple vectors. If they consist of multiple vectors a situation
may arise where a fault corrupts some input-label or output-label
associated with an intermediate input vector, with the result that a
subsequence of the original differentiating sequence is now a differentiating
sequence. For example, the sequence $s_1 \ldots s_j \ldots s_n$ might be
corrupted in such a way that the sub-sequence $s_j \ldots s_n$ is now a
differentiating sequence.
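The fault simulation check of this section can be sketched at the state-transition level as follows. This is an added example, not code from the paper: the two machines, the state names, the modelling of the fault as a perturbed edge and the function names are all assumptions constructed here.

```python
# Added illustration: the machines, state names and fault are constructed
# sample data. A Mealy machine is {(state, input): (next_state, output)}.

def run(table, state, seq):
    """Apply seq from state and return the output sequence."""
    outs = []
    for vec in seq:
        state, out = table[(state, vec)]
        outs.append(out)
    return outs

def classify(true, faulty, pair, seq):
    """Fault simulate one differentiating sequence for a faulty/fault-free pair."""
    s_faulty, s_true = pair
    good = run(true, s_true, seq)        # true machine from the fault-free state
    bad = run(faulty, s_faulty, seq)     # faulty machine from the faulty state
    if bad == good:
        return "lost"                    # no longer tells the two machines apart
    corrupted = bad != run(true, s_faulty, seq)   # did the fault touch seq itself?
    return "corrupted-but-retained" if corrupted else "unchanged"

def first_difference(true, faulty, pair, seq):
    """Index of the first vector whose output differs, or None."""
    s_faulty, s_true = pair
    good, bad = run(true, s_true, seq), run(faulty, s_faulty, seq)
    return next((i for i, (g, b) in enumerate(zip(good, bad)) if g != b), None)

def still_testable(true, faulty, pair, seqs):
    """One retained differentiating sequence is enough."""
    return any(classify(true, faulty, pair, s) != "lost" for s in seqs)

# Fault-free logic: A and B are valid states, X is an invalid state.
TRUE = {("A", 0): ("B", 0), ("A", 1): ("A", 0),
        ("B", 0): ("A", 1), ("B", 1): ("B", 0),
        ("X", 0): ("X", 0), ("X", 1): ("B", 1)}
# The fault also perturbs the edge leaving X on input 1.
FAULTY = dict(TRUE)
FAULTY[("X", 1)] = ("X", 0)
PAIR = ("X", "A")   # (faulty state, fault-free state)

if __name__ == "__main__":
    for seq in ([1], [1, 0, 0], [0, 0]):
        print(seq, classify(TRUE, FAULTY, PAIR, seq),
              first_difference(TRUE, FAULTY, PAIR, seq))
```

In the sample, the single vector [1] is lost, while [1, 0, 0] is corrupted by the fault yet still differentiates the pair at its last vector.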

5.5  Optimal  Synthesis  Procedures

The procedures of Sections 5.1 and 5.4 sought to directly ensure that
particular differentiating sequences are retained. Here we review a
synthesis procedure that simply guarantees that a differentiating sequence
for a valid/invalid state pair will always exist.

The procedure of [8] uses repeated logic minimization to achieve
FE-disjointness between each of the input-labels in a differentiating
sequence of invalid/valid (faulty/fault-free) state pairs and the input-label
whose perturbation caused the invalid faulty state.

Given an incompletely specified combinational logic function, we can
obtain a prime and irredundant implementation of the logic function,
in two-level or multi-level form, that has the following properties:

1. An input test vector exists for every single stuck-at fault in the
logic network that lies outside the don't care (DC) set and in the
ON or OFF-sets.

2. At least one of the output values that differ in the true and faulty
circuits, on the application of this input test vector, will not
correspond to a don't care output condition.

In the procedure of [8], the approach taken is that the redundancy of
Figure 3 exists because we have not exploited the don't care corresponding
to the edge $(0, s_3)$: we can specify $n(0, s_3) = (s_4, s_2)$ and not
just $s_2$. The following procedure of repeated logic minimization
guarantees upon convergence that equivalent-state and invalid-state SRFs
don't exist in the resulting machine.

⁵ Specific synthesis procedures can exploit the fact that differentiating
sequences may be corrupted and still retained.

eliminate-equivalent-state/isomorphism-SRFs( S ):
{
    iter = 1 ;
    do {
        if ( iter = 1 ) G = extract-stg( S ) ;
        else G = extract-stg( S'' ) ;
        foreach ( valid state q ∈ G ) {
            Find all valid states (v1, .. vm) ≡ q ;
            Find all invalid states (iv1, .. ivn) ≡ q ;
            DC1 : fanin(q) = (v1, .. vm, iv1, .. ivn) ;
            Find all input-labels ij differentiating q and s ≢ q ;

DC'i  :  fanin(q )  =  (i).  s)  A'i,'  »(',  </)  =  «(i,.  s) 

0(1,.  q)  =  o(i,.  f.  s)  ; 

        }
        S' = optimize( S, DC1, DC2 ) ;
        IV = extract-invalid-states( S' ) ;
        S'' = optimize( S', DCIV ) ;
        iter = iter + 1 ;
    } while ( S ≠ S'' ) ;
}

The procedure optimize() produces a prime and irredundant two-level
or multi-level network under a don't care set. DC1 corresponds
to the don't cares described above. DC2 is a more complex don't care
whose usage ensures that the invalid faulty state does not become
equivalent to the true valid state. DCIV corresponds to the don't cares due
to invalid state codes.

Theorem 5.8 : The procedure of [8] guarantees that at least one
invalid/valid faulty/fault-free state pair produced due to a fault possesses
a differentiating sequence that is FE-disjoint from the input-label whose
perturbation caused the faulty state.

Proof: The procedure has specified don't cares corresponding to the
equivalence of invalid/valid state pairs. Given that the combinational
logic implementation is prime and irredundant under this don't care
set, DC1, we are guaranteed an input-label perturbation outside DC1,
i.e., the faulty state produced by the input-label will not be equivalent
to the true state. Further, using the don't care set, DC2, will ensure
that the fanout of the invalid faulty state is not corrupted to make the
invalid state in the faulty machine equivalent to the true state, i.e., a
differentiating sequence of the invalid/valid state pair produced will be
FE-disjoint from the perturbed input-label. Q.E.D.

Note that this theorem in conjunction with Theorem 5.2 ensures full
testability for the synthesized sequential machine.

6  Results 

In  this  section,  we  present  preliminary  experimental  results  using  the 
synthesis  algorithms  presented  in  Section  5. 

A standard synthesis procedure was first adopted. The procedure is
as follows:

1. State minimization.

2. State assignment (unconstrained).

3. Two-level Boolean minimization using the invalid states as don't
cares.

4. Multi-level logic optimization (both algebraic as well as Boolean
operations).

5. After synthesis, tests were generated for the circuit using the
sequential test generator, STALLION.

First, we used the synthesis procedure described. The procedure was
as follows:

1. Same as Step 1 above.

2. Same as Step 2 above.

3. Two-level Boolean minimization with constrained covering.

4. If each invalid state asserts different outputs from all the valid
states, then an unconstrained multi-level logic optimization step
was performed. Else, two different options were exercised.

(a) Strictly algebraic factorization was performed. After
factorization, the resulting network was analyzed to check for
cube and kernel factors that could potentially cause redundancy.
The nodes corresponding to these disallowed factors
were collapsed into their fanins.

(b) An unconstrained multi-level logic optimization was carried
out. Note that in this case, we cannot guarantee 100%
testability.

5. Sequential test generation can be performed more efficiently in this
case than via STALLION, since we already know all the uncorrupted
differentiating sequences for each possible faulty/fault-free
state pair. Hence, the propagation step in STALLION is avoided.

Table 1: Statistics of Benchmark Examples

In Table 1, we give the statistics of the benchmark examples from
the MCNC Logic Synthesis Workshop and industrial sources. The results
obtained on these examples via running the standard synthesis
procedure and the two options in the new procedure are summarized in
Table 2 under the columns STANDARD, COVER-A and COVER-B.
The number of literals in the combinational logic (lit), fault coverage
obtained (fcov) and the CPU time for test generation (tpg time) are
indicated in the three cases. fal and b2 are particularly vicious examples.
They each have a large number of states and a single output. All
the CPU times are on a VAX 11/8800.

COVER-A results in 100% testable designs with small area overheads,
that require less CPU time for test generation than the STANDARD
procedure. We cannot guarantee full testability via COVER-B, but it
allows for the use of more powerful Boolean operations and hence the
area overhead is smaller than via COVER-A. Highly (> 99%) testable
realizations are obtained in all cases via COVER-B.

We next compare this approach with previously proposed synthesis
approaches to achieve full testability. The comparisons are presented in
Table 3. Under the column COVER, we give the result corresponding to
COVER-B, if the resulting design was fully testable. Else, we give the
result of COVER-A. The column CONSTRAIN has the results obtained
by using the constrained state assignment and logic optimization
procedure of [7]. The column OPTSYN has the results using the optimal
synthesis procedure of [8]. The number of literals in the combinational
logic (lit), the CPU time for synthesis (syn. time) and the CPU time
required for test generation (tpg time) are indicated. All the designs
via each of the procedures are 100% testable.

From the standpoint of CPU usage for minimization and test pattern
generation the CONSTRAIN procedure used the least time, but
required modifying the original design. Unfortunately, circuit
modifications which modify interface descriptions, such as adding inputs or
outputs, can be expensive (or impossible!) in typical design environments.

The COVER procedure completed all examples with modest to reasonable
CPU requirements. The OPTSYN procedure required the
greatest amounts of CPU and was prohibitively expensive on one example.

In terms of quality of result, OPTSYN uniformly produced the smallest
designs. COVER's results were on average within 5% overall and were
precisely the same as OPTSYN's on four examples. COVER's results
on area were uniformly superior to the CONSTRAIN procedure,
resulting in an average 13% improvement.

1 Involves the addition of an extra input and output.

2 The synthesis procedure was terminated after 2 hours.

Overall, these results indicate that the COVER procedure improves
over the previous procedures from the standpoint of quality of result
versus CPU time requirements. Most importantly the COVER procedure
is able to handle designs that the previous procedures could not
(without modification).

These results show that a synthesis user seeking complete testability
presently has a spectrum of methods at his disposal, and may choose his
approach based on the peculiarities of the example to be synthesized and
the relative importance of synthesis CPU time, TPG time, final circuit
size and the difficulty of incorporating circuit modifications into the
complete circuit design.

7  Conclusions 

A variety of techniques have been proposed to address the problem
of synthesizing fully testable sequential machines. At one end of the
spectrum there are optimal synthesis procedures that ensure full
testability by eliminating redundancies via the use of appropriate don't care
sets. At the other end of the spectrum there are constrained synthesis
procedures that produce fully and easily testable sequential circuits
by restricting the implementation of the logic. In this paper we
attempted to unify and extend these methods. We first identified classes
of redundancies and isolated equivalent-state redundancies as those most
difficult to eliminate. We then showed that the essential problem behind
equivalent-state redundancies is the creation of valid/invalid state
pairs. We devoted the remainder of the paper to techniques for
developing differentiating sequences for valid/invalid state pairs created
by a fault, as well as to techniques for retaining these sequences in
the presence of that fault. We showed how both optimal and constrained
synthesis procedures ensure differentiating sequences and also used the
notion of fault-effect disjointness to demonstrate a spectrum of methods
that place relatively more-or-less emphasis on either logic optimization
or constrained synthesis. Techniques used in this exploration included
fault simulation, Boolean covering, algebraic factorization and state
assignment.

We then compared the final results of each of these methods on a number
of standard benchmark examples and showed that each approach
has its merits depending on the relative importance of synthesis CPU
time, TPG time, final circuit size and the difficulty of incorporating
circuit modifications into the complete circuit design.